Making sense of Java security realities

Millions of people use Java every day, but far fewer are running properly secured installations. Matthew Schwartz wrote on InformationWeek that half of users are still on Java 6, which Oracle retired last month, a sign that most do not appreciate how important it is to keep this software as secure as possible. Without keeping it as up to date as possible, companies may suffer data breaches or make themselves easy targets for attacks.

"In the wake of active attacks against zero-day vulnerabilities in Java that were being exploited to install McRAT malware, Oracle this week released Java 7 update 17 (it skipped issuing an update 16) and Java 6 update 43 (skipping update 42)," he wrote on the website. "Both updates patch two critical bugs, one of which attackers were exploiting to fully compromise vulnerable PCs. Needless to say, Oracle and security experts at large have recommended that Java users upgrade as soon as possible."

Security experts now measure the time between new attacks on Java in days rather than weeks or months, as the program has become a far more common target for attackers' exploits.

Other facts about Java that Schwartz believes are important to keep in mind include:
– Oracle has improved the speed at which it patches security holes in Java, so companies that update regularly can keep up with new releases and run into fewer problems than they would on stale versions
– Businesses may want to disable their Java browser plug-ins, as security experts say the plug-in causes problems for organizations that rely on it heavily, especially on websites they do not trust
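As an added example (not from the article, from Schwartz, or from Oracle), the following Python script turns the first point above into a check: it parses the output of `java -version` and reports whether an install is at or above the patched update levels the article cites (Java 7 update 17 and Java 6 update 43), flagging anything still on Java 6 as retired. The baseline numbers, the decision to flag every Java 6 install regardless of patch level, and the sample banners are assumptions made for this example.

```python
import re
import subprocess

# Baseline taken from the article: the patched releases are Java 7 update 17
# and Java 6 update 43. Assumption for this example: Java 6 is retired, so any
# Java 6 install is flagged even when it carries the last patch.
MIN_UPDATE = {7: 17, 6: 43}
RETIRED_MAJORS = {6}

# `java -version` prints a first line such as:  java version "1.7.0_17"
# The closing quote is deliberately not required, so vendor suffixes
# (e.g. "1.7.0_17-something") still parse.
VERSION_RE = re.compile(r'"1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def assess(banner):
    """Classify a banner as 'ok', 'outdated', 'retired' or 'unknown'."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major in RETIRED_MAJORS:
        return "retired"
    minimum = MIN_UPDATE.get(major)
    if minimum is None:
        return "unknown"  # major version outside this baseline
    return "ok" if update >= minimum else "outdated"


def local_java_banner():
    """Capture `java -version` on this host (it writes to stderr)."""
    try:
        proc = subprocess.run(["java", "-version"],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


# Constructed sample banners for demonstration (not captured from real hosts).
SAMPLE_BANNERS = {
    "patched 7": 'java version "1.7.0_17"\n'
                 'Java(TM) SE Runtime Environment (build 1.7.0_17-b02)',
    "stale 7": 'java version "1.7.0_15"',
    "retired 6": 'java version "1.6.0_43"',
    "no java": 'bash: java: command not found',
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:10} -> {assess(banner)}")
    print(f"this host  -> {assess(local_java_banner())}")
```

Run it on a host to get a verdict for the local JRE, or feed `assess` banners collected by an inventory tool. Disabling the browser plug-in (the second point above) is a separate control that this script does not touch; in Java 7 update 10 and later the Java Control Panel's Security tab has an option to turn off Java content in the browser.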

To illustrate how dangerous Java can be if left in its current state, Jon Brodkin wrote on Ars Technica that a flaw identified in February allowed a complete bypass of the Java security sandbox. Security Explorations, a security research firm, said Oracle intended to investigate the flaw and get back to them soon, but as it stood, the flaw could be leveraged to bypass the program's security completely.

"We've advised before that users who don't need Java should consider uninstalling it, or at least the Java plug-ins used to run Java content in web browsers," the website said. "Even savvy computer users aren't necessarily safe."